In the children’s fable of Chicken Little, the eponymous chick laments the end of the world after an acorn falls on her head and she mistakes it for a piece of the sky. This European folk tale has nicely encapsulated businesses’ view of their security organizations for many years.

But, as “The Byrds” prophesized in 1965, the times they are a-changin’.

Welcome to 2021 where we’re (hopefully) on the back end of the COVID-19 pandemic but our workforces remain (mostly) remote or (at best) hybrid. That’s a lot of parentheses for one sentence, but it’s difficult to characterize today’s work environment by norms. There aren’t any norms, other than the indisputable fact that our organizations currently exist in a risk environment that none of us have ever experienced before.

Our adversaries have become enterprises unto themselves and mostly exist beyond the reach of our laws or retributions. Our organizations have become critically reliant upon their IT systems to make their businesses productive and competitive, particularly as many shifted to remote work in 2020. Despite daily headlines highlighting stories like the Colonial Pipeline attack, or the SolarWinds software breach and the resulting investor lawsuit, many businesses have fallen into a state of complacency in which they believe they are not the targets of those adversaries, but everyone else is.

The 2021 IDG Security Priorities Study – now in its fifth year – is showing some remarkable shifts in how businesses address information security risks, and the continuance of some trends we have been watching for years. Here are a few of the highlights:

  • The top priority for organizations is to “be appropriately prepared to respond to a security incident”, but other top priorities also include “protecting critical data”, “improving security awareness among end-users”, “improving corporate resiliency”, and “reducing IT complexity”. All of these remain generally consistent with our findings over the past five years.
  • Security leaders (CSOs, CISOs, etc.) increasingly report to corporate leadership (the number of security leaders reporting to the CEO jumped from 34% in 2020 to 44% in 2021), are seeing growing compensation (up 9% from the prior year), and are expanding their responsibilities to, once again, include ownership of physical security. However, they struggle to convince their broader organizations as to the scope and severity of the risks they face, and with resourcing (budget, staffing, etc.).
  • Most security incidents continue to originate with non-malicious user errors (e.g. clicking on links in those phishing emails), but unpatched software vulnerabilities, third-party risks, and misconfigured services are also significant sources of incidents.
  • This year’s study also investigated risks posed to operational technology (OT) environments. OT risks to the business are significant, have vulnerabilities that 38% identified as significant or grave, and remain notoriously difficult to secure.
  • While security organizations continue to add new technology tools, they are also focusing more attention on reviewing the technologies they already have for their effectiveness and utilization.
  • Many are moving beyond traditional blocking & tackling technologies to embrace and adopt advanced security solutions like SASE, SOAR, XDR, and Deception Technology. The study also notes the continuing move of security services and solutions from on-prem to off-prem.
  • Two years ago, Zero Trust was an interesting concept but one whose “lift” was likely too great for the average 900 employee company. In 2021, and under the shadow of new risk and work environments, more are throwing-in with Zero Trust and trying to figure out how to make it work for them.
  • Information security budgets can be characterized as stable (54%) or growing (44%) as CSOs increased influence within the business, and the worsening threat environment, convinces (drives) businesses to invest more in information security as they seek to remediate existing and emerging risks. This year saw the lowest number saying their budgets were being cut (2%) that I can recall in the past 20 years.

The next few years present a promising opportunity for security leaders to continue elevating their role within the business and proving their value to corporate leadership. But if over the past two years they have benefited from the belief that their prognostications have been accurate… the sky really was falling…their challenge now is to prove that they can hold its collapse at bay.

To learn more about the results of this year’s IDG Security Priorities Study, download the Executive Summary.